====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID:       RHSA-2022:2183-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2183
Issue date:        2022-05-11
CVE Names:         CVE-2018-25032 CVE-2019-11253 CVE-2019-19794
                   CVE-2020-15257 CVE-2021-29482 CVE-2021-32760
                   CVE-2022-1154 CVE-2022-1271
====================================================================

1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are
available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* golang: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote denial of service (CVE-2019-11253)

* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)

* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privileges escalation (CVE-2020-15257)

* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)

* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-19794
https://access.redhat.com/security/cve/CVE-2020-15257
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-32760
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.